Nextgen Gallery bypassing security roles

  • kf6bbl

    (@kf6bbl)


    8 years, 11 months ago

    On my site, the navigation menus are Pages. Since this alters the site design, I restrict regular users from creating, editing, deleting Pages. They are allowed access to Posts. They are also allowed to access NextGen Galleries.
    However in the process of creating a Nextgen Gallery, they have the option to ‘Create New Page’. This function bypasses the WordPress security roles, and allows non-authorized users to create Pages, which alters my site design in a bad way.

    This seems like a security bug to me.

    If anyone can help, am open to workaround, such as:

    • Hacking the plugin to remove the Create Page option
    • Hacking the plugin to force it to create a Post instead of a Page.

    Any ideas?
    How would I go about officially reporting a bug, or feature request?

    https://wordpress.org/plugins/nextgen-gallery/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter kf6bbl

    (@kf6bbl)

    8 years, 11 months ago

    FYI:
    Wordpress 4.2.2
    NextGen Gallery Version 2.0.79

    Plugin Contributor photocrati

    (@photocrati)

    8 years, 11 months ago

    @kf6bbl – This seems to possibly be an edge case scenario which depending on your setup could either be a workflow (read: Feature Request idea … see here: http://nextgen-gallery.com/feature-voting/) or possibly an oversight in our Create New Page routine which would best be reported here: http://nextgen-gallery.com/report-bug/

    Thanks!

    – Cais.

    Thread Starter kf6bbl

    (@kf6bbl)

    8 years, 11 months ago

    I’m not sure what qualifies an edge case other than no one has brought it up before, but basically anyone that both uses your plug-in and restricts users from adding pages, is effected by this. I will go ahead and add a bug per your link, however in the meantime I would appreciate any guidance you can share on a workaround.
    Can you tell me which file builds that part of the page?

    Thank You.

    Thread Starter kf6bbl

    (@kf6bbl)

    8 years, 11 months ago

    I should add here that I am using a plug-in “WPFront User Role Editor”. This allowed me granular control of permissions so that I could create a user class that cannot create pages, but still create galleries. So yea, could be considered and edge case I guess.

    Plugin Contributor photocrati

    (@photocrati)

    8 years, 11 months ago

    @kf6bbl – Let’s carry on the conversation within the Bug Report for the time being.

    Thanks!

    – Cais.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Nextgen Gallery bypassing security roles’ is closed to new replies.